Tag: APSA13-02

FireEye team has report a new Adobe Reader and Acrobat zero day exploited in the wild. This new 0day allow exploitation of the latest Adobe PDF Reader 9.5.3, 10.1.5, and 11.0.1 with sandbox bypass. In the information’s provided on FireEye blog post, it seem that two DLLs are dropped by the malicious PDF and that fake error message appears.

In the screenshot provided by FireEye, who don’t provide a lot of details, we can see a call to a “/index.php” page, which will potentially mean that the PDF 0day is streamed from the PHP file. Also we can observe that the involved user agent is MSIE 7 (aka Internet Explorer 7) under windows NT 5.1 (aka Windows XP).

Adobe Security Advisory APSA13-02

Adobe PSIRT has release a security advisory APSA13-02 regarding two vulnerabilities CVE-2013-0640 (base CVSS score of 9.3) and CVE-2013-0641 (base CVSS score of 9.3) in Adobe Reader and Acrobat XI (11.0.01 and earlier), X (10.1.5 and earlier) and 9.5.3 and earlier for Windows and Macintosh. Also this security advisory confirm the exploitation of these vulnerabilities in targeted attacks through spear phishing campaign. Adobe is working on the issue and will provide updated versions asap. Affected softwares are:

Regarding Adobe security advisory, the vendor recommend, for users of Adobe Reader XI and Acrobat XI for Windows, as workaround to enable “Protected View“. To enable this setting, choose the “Files from potentially unsafe locations” option under the Edit > Preferences > Security (Enhanced) menu. The problem is that despite “Protected Mode” is activated, and as discussed on Twitter with @artem_i_baranov, and also mentioned by Ars Technica, “Protected View” is off when using the default version.

Also some special cases, for some specific languages and only with Reader 9.502 or 10.104, are forced.

I also can confirm that the code is heavily obfuscated with bunch of variable and functions names in Italian, like “dIAVOLO”, “bENEDETTO”, “sENTIRSI”, “aPPARENZA”, “fISAMENTE”, “pRESUNSI”, “cOCOLLE”, “sCHIUMA”, “pENITENZA”, etc.